Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Versions of plugins from settings.gradle are not checked #367

Open
koral-- opened this issue Dec 30, 2019 · 11 comments
Open

Versions of plugins from settings.gradle are not checked #367

koral-- opened this issue Dec 30, 2019 · 11 comments

Comments

@koral--
Copy link

koral-- commented Dec 30, 2019

Steps to reproduce:

  • use Gradle 6.x
  • add some plugin with old version to settings.gradle(.kts) for example "com.gradle.enterprise"
  • invoke updateDependencies task
plugins {
    id("com.gradle.enterprise") version "3.1"
}

At the time of writing there is a version 3.1.1.

More info about build scan plugin: https://docs.gradle.com/enterprise/gradle-plugin/#gradle_6_x_and_later
@ben-manes
Copy link
Owner

I suppose we would need to use Settings and evaluate both getBuildscript() and getPluginManagement().

@nedtwigg
Copy link

nedtwigg commented Mar 27, 2020
edited

Closely related, it also does not check for these in the settings.gradle file:

pluginManagement {
  plugins { ...

@ben-manes
Copy link
Owner

Yes, see my comment above @nedtwigg. We would need to use both of those methods to capture those dependencies. Since those are not configurations, we'd have to make a detached configuration with the dependencies, repositories, and resolution strategy that those methods provide. Then resolve and print in the report with everything else.

@ben-manes ben-manes mentioned this issue Feb 8, 2022
Closed
@jaredsburrows
Copy link
Collaborator

It looks like dependabot is able to do this: jaredsburrows/cs-interview-questions#29.

@ben-manes
Copy link
Owner

Yes, if I recall correctly they use simple regex parsing of the build files rather than executing it. That has other limitations.

The long-term approach that Github/Gradle are pursuing is outlined in this proposal and github issue. This would be similar to having static analyzers produce SARIF reports that the Github Security dashboard consumes, so it could simply be an action that feeds the current dependency graph into Github for a monitoring dashboard.

@ben-manes ben-manes mentioned this issue Jan 16, 2023
Open
@Vampire
Copy link
Contributor

Vampire commented Feb 6, 2023

https://github.com/jmfayard/refreshVersions can also handle it, so would be nice to have it here too :-)

@ben-manes
Copy link
Owner

PRs welcome. 😁

@Vampire
Copy link
Contributor

Vampire commented Feb 6, 2023

As always and everywhere :-D

@ianbrandt
Copy link

Just adding a use case, the Foojay Toolchains Plugin.

@ben-manes
Copy link
Owner

if someone wants to try this idea and send a pr that would be appreciated.

@Vampire
Copy link
Contributor

Vampire commented Nov 9, 2023

Btw. imo pluginManagement { plugins { ... } } does not necessarily need to be checked. It's the same as plugins that are defined in a version catalog but not used anywhere. That block just defines versions that are used when a plugin later is applied without version. So if it is applied and thus used, it will already be covered (for project plugins already now, for settings plugins with this issue fixed).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@Vampire @ben-manes @ianbrandt @jaredsburrows @nedtwigg @koral--